SSL/Early TLS Migration Guide

On February 13, 2015, the PCI SSC released a bulletin announcing that Secure Socket Layer (SSL) is no longer considered a secure, strong cryptographic protocol for the transmission of data. The special bulletin, which can be found here, stated the following:

The National Institute of Standards and Technology (NIST) has identified the Secure Socket Layers (SSL) v3.0 protocol (a cryptographic protocol designed to provide secure communications over a computer network) as no longer being acceptable for protection of data due to inherent weaknesses within the protocol. Because of these weaknesses, no version of SSL meets PCI SSC’s definition of “strong cryptography,” and revisions to the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) are necessary.

Soon thereafter, the first version of TLS, TLS 1.0, was also considered insecure. As of 05/18/16 and PCI DSS version 3.2, TLS 1.1 is the minimally accepted standard. That being said, PCI DSS 3.2 does not officially come into effect until February 2017, with the SSL and Early TLS to TLS 1.2 migration requirement pushed even further to June 30th, 2018. Although merchants, POS systems and other payment providers now have a little breathing room to prepare for the migration, the payments industry has already begun to move in that direction. We at PCIBlog.org have created this migration guide to assist you in the complexities behind migrating to TLS 1.2 supported systems.

So, let’s get right to it. When we talk about the SSL/Early TLS to TLS 1.1+ migration, we are generally referring to one of two scenarios:

A browser, such as Internet Explorer, Mozilla Firefox, or Google Chrome, resolving a website that has SSL/TLS enabled (e.g., HTTPS), or

A server communicating over the internet (or direct circuit) with a web service utilizing SSL/TLS

Browser Migration: SSL/Early TLS to TLS 1.1+

Supporting TLS 1.1+ for browsers will be relevant for any online portal that your employees utilize, such as a Virtual Terminal or your Merchant Services Provider’s Reporting Portal. Updating browsers to support TLS 1.1 and higher is generally a “behind the scenes” task, and most users will not need to do anything. Most browsers, such as Mozilla Firefox and Google Chrome, are set to automatically update and therefore should already support TLS 1.1 and higher. Internet Explorer, on the other hand, may require you to download Windows Updates that will enable support for TLS 1.1 and higher.

Test TLS Support

(Please note: This link will take you to another page on our site and run a script to test for TLS support. You must disable your pop-up blocker for our site for this test to work.)

If your browser is not currently supporting TLS 1.1 or higher, navigate to your browser’s settings and download the most recent updates. This will enable TLS 1.1+ support. If you would like to require your browser to support TLS 1.1+, follow the steps at the links below:

POS Server Migration: SSL/Early TLS to TLS 1.1+

In modern times, most merchants are processing credit cards utilizing a front-end POS/PMS/ERP system which speaks to a payment gateway or processor over the public internet. This process of communication from one point to another is accomplished securely by SSL/TLS cryptography. The reason that merchants are required to update from SSL/Early TLS to TLS is because both points of communication (i.e., the merchant to payment gateway) must, for ease of terminology, be “speaking the same language.” As PCI DSS version 3.2 is requiring the abandonment of all versions of SSL and TLS 1.1, merchants and payment service providers (PSPs) must upgrade to both abide by the standard and be able to communicate properly with each other.

The process for merchants is to ensure that the system handling the communication with the payment service provider (e.g., payment gateway, processor, etc.) can support TLS 1.1+. Whether or not the system is able to support TLS 1.1 will depend on the Windows Operating System and/or Windows Updates. In most instances of POS architecture, the POS workstations communicate with the POS server, which then communicates with the payment gateway or processor. Therefore, the POS server is the system handling communication, and is the system that would need to support TLS 1.1+. If the workstation/tablet was responsible for speaking to the PSP, then the individual workstation/tablet will need to the proper operating system and/or updates to support TLS 1.1.

Below is a table breakdown of Windows Operating Systems and SSL/TLS support:

SSL-TLS Migration Guide Table

Windows Operating System

SSL 2.0

SSL 3.0

TLS 1.0

TLS 1.1

TLS 1.2

Windows XP & Windows Server 2003

Supported

Supported

Supported

Not Supported

Not Supported

Windows Vista & Windows Server 2008

Supported

Supported

Supported

Not Supported

Not Supported

Windows 7 & Windows Server 2008 R2

Supported

Supported

Supported

Supported

Supported

Windows 8 & Windows Server 2012 or greater

Supported

Supported

Supported

Supported

Supported

For Windows XP, Windows Vista, Server 2003 and Server 2008, Windows Updates will be needed to support TLS 1.1 and higher.

Related

PCI Blog is the most trusted PCI Compliance and IT Security blog on the web. Authored by industry experts within the payments and IT security industries, PCI Blog provides insight on the complex world behind modern compliance and security standards. As a wholly independent source of news within the payments industry, PCI Blog focuses on the ever-changing responsibilities of merchants who accept credit cards. PCI Blog also provides reviews on PCI compliance tools and enterprise security solutions to offer a fair, independent critique of product offerings within the payments industry.